topic Error in rex in Splunk Search

Error in rex

geetanjali — Fri, 13 May 2011 05:48:46 GMT

Hi,

I am trying to extract fields using rex. I want to display graph according to guestname (kitoa01,kitoa05).

The log file path is :

C:\opt\app\samba\mnt\powersupply\kitoa01\KITOPS01

C:\opt\app\samba\mnt\powersupply\kitoa05\KITOPS05

And i have indexed data with host_segment=7. Bcoz KITOPS01,KITOPS05 are hostnames.If i am searching data by host,it is working fine.

but i need to extract by guest name.I am trying this query:

index="dummy" sourcetype="power_dummy" | rex field=source "(((?<kit>([^\]+))\)+?)" | search guest="$guestname$" | timechart max(Power_consumption) by host

its giving me error : Error in 'rex' command: Encountered the following error while compiling the regex '(((?<kit>([^\]+))\)+?)': Regex: syntax error in subpattern name (missing terminator)

Re: Error in rex

sideview — Fri, 13 May 2011 05:58:30 GMT

I suspect that you meant to have backslashes in the rex instead of forward slashes, but that you used forward slashes because the answers site tends to swallow backslashes?

In the answers site you need to type two consecutive backslashes if you want the site to print a single backslash. UNLESS the text is wrapped in backtick characters (`) or indented with 4 spaces.

And the answer is somewhat similar in the search language -- in the rex command and in the search language in general, you have to type in two consecutive backslash characters whenever you mean to send a single backslash character. Hence the correct search to copy and paste should be:

index="dummy" sourcetype="power_dummy" | rex field=source "(((?<kit>([^\\]+))\\)+?)" | search guest="$guestname$" | timechart max(Power_consumption) by host

Re: Error in rex

geetanjali — Fri, 13 May 2011 06:15:30 GMT

Yes. In actual path, there is backslash in path. i have used the same rex for extracting guest. but it is giving 0 matching result.

I am not very much aware of regular expression.
Please help.

Re: Error in rex

sideview — Fri, 13 May 2011 16:47:03 GMT

Try again - it looks like if you indent the code sample, the answers site stops requiring backslashes to be escaped. So I had accidentally double-escaped the backslashes. Try copying and pasting the search now.

Re: Error in rex

sideview — Fri, 13 May 2011 19:06:51 GMT

NOTE: I'm not positive but since it really sounded like you had backslashes in there instead of regular slashes, I took the liberty of editing your question to have backslashes in the search and in the error message from rex...